Export limit exceeded: 10015 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11930 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-0676 | 1 Wordpress | 1 Wordpress | 2026-04-18 | 5.3 Medium |
| Missing Authorization vulnerability in G5Theme Zorka zorka allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Zorka: from n/a through <= 1.5.7. | ||||
| CVE-2026-22347 | 1 Wordpress | 1 Wordpress | 2026-04-18 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in subhansanjaya Carousel Horizontal Posts Content Slider carousel-horizontal-posts-content-slider allows DOM-Based XSS.This issue affects Carousel Horizontal Posts Content Slider: from n/a through <= 3.3.2. | ||||
| CVE-2026-22360 | 1 Wordpress | 1 Wordpress | 2026-04-18 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in AA-Team SearchAzon searchazon allows Cross Site Request Forgery.This issue affects SearchAzon: from n/a through <= 1.4. | ||||
| CVE-2026-22402 | 1 Wordpress | 1 Wordpress | 2026-04-18 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in pavothemes Triply triply allows PHP Local File Inclusion.This issue affects Triply: from n/a through <= 2.4.7. | ||||
| CVE-2026-24625 | 2 Imaginate-solutions, Wordpress | 2 File Uploads Addon For Woocommerce, Wordpress | 2026-04-18 | 5.3 Medium |
| Missing Authorization vulnerability in Imaginate Solutions File Uploads Addon for WooCommerce woo-addon-uploads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects File Uploads Addon for WooCommerce: from n/a through <= 1.7.3. | ||||
| CVE-2026-0658 | 1 Wordpress | 1 Wordpress | 2026-04-18 | 4.3 Medium |
| The Five Star Restaurant Reservations WordPress plugin before 2.7.9 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting bookings via CSRF attacks. | ||||
| CVE-2026-1634 | 2 Alexdtn, Wordpress | 2 Subitem Al Slider, Wordpress | 2026-04-17 | 6.1 Medium |
| The Subitem AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2026-0929 | 2 Registrationmagic, Wordpress | 2 Registrationmagic, Wordpress | 2026-04-17 | 4.3 Medium |
| The RegistrationMagic WordPress plugin before 6.0.7.2 does not have proper capability checks, allowing subscribers and above to create forms on the site. | ||||
| CVE-2026-1296 | 2 Wordpress, Wpshuffle | 2 Wordpress, Frontend Post Submission Manager Lite – Frontend Posting Wordpress Plugin | 2026-04-17 | 6.1 Medium |
| The Frontend Post Submission Manager Lite plugin for WordPress is vulnerable to Open Redirection in all versions up to, and including, 1.2.7 due to insufficient validation on the 'requested_page' POST parameter in the verify_username_password function. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action such as clicking on a link. | ||||
| CVE-2026-1368 | 2 Video Conferencing With Zoom Project, Wordpress | 2 Video Conferencing With Zoom, Wordpress | 2026-04-17 | 7.5 High |
| The Video Conferencing with Zoom WordPress plugin before 4.6.6 contains an AJAX handler that has its nonce verification commented out, allowing unauthenticated attackers to generate valid Zoom SDK signatures for any meeting ID and retrieve the site's Zoom SDK key. | ||||
| CVE-2026-25305 | 2 8theme, Wordpress | 2 Xstore, Wordpress | 2026-04-17 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8theme XStore xstore allows DOM-Based XSS.This issue affects XStore: from n/a through <= 9.6.4. | ||||
| CVE-2026-25325 | 2 Rtcamp, Wordpress | 2 Rtmedia For Wordpress, Buddypress And Bbpress, Wordpress | 2026-04-17 | 5.3 Medium |
| Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in rtCamp rtMedia for WordPress, BuddyPress and bbPress buddypress-media allows Retrieve Embedded Sensitive Data.This issue affects rtMedia for WordPress, BuddyPress and bbPress: from n/a through <= 4.7.8. | ||||
| CVE-2026-25333 | 2 Peregrinethemes, Wordpress | 2 Shopwell, Wordpress | 2026-04-17 | 5.3 Medium |
| Missing Authorization vulnerability in peregrinethemes Shopwell shopwell allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Shopwell: from n/a through <= 1.0.11. | ||||
| CVE-2026-25393 | 2 Sparklewpthemes, Wordpress | 2 Hello Fse, Wordpress | 2026-04-17 | 4.3 Medium |
| Missing Authorization vulnerability in sparklewpthemes Hello FSE hello-fse allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hello FSE: from n/a through <= 1.0.6. | ||||
| CVE-2026-1219 | 2 Sonaar, Wordpress | 2 Mp3 Audio Player – Music Player, Podcast Player & Radio By Sonaar, Wordpress | 2026-04-17 | 5.3 Medium |
| The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'load_track_note_ajax' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the contents of private posts. | ||||
| CVE-2026-26370 | 2 Ays-pro, Wordpress | 2 Survey Maker, Wordpress | 2026-04-17 | N/A |
| WordPress Plugin "Survey Maker" versions 5.1.7.7 and prior contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed in the user's web browser. | ||||
| CVE-2026-22362 | 2 Axiomthemes, Wordpress | 2 Photolia, Wordpress | 2026-04-17 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Photolia photolia allows PHP Local File Inclusion.This issue affects Photolia: from n/a through <= 1.0.3. | ||||
| CVE-2026-22376 | 2 Ancorathemes, Wordpress | 2 Parkivia, Wordpress | 2026-04-17 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Parkivia parkivia allows PHP Local File Inclusion.This issue affects Parkivia: from n/a through <= 1.1.9. | ||||
| CVE-2026-23694 | 3 Aruba, Arubadev, Wordpress | 3 Aruba Hispeed Cache, Aruba Hispeed Cache, Wordpress | 2026-04-17 | N/A |
| Aruba HiSpeed Cache (aruba-hispeed-cache) WordPress plugin versions prior to 3.0.5 contain a cross-site request forgery (CSRF) vulnerability affecting multiple administrative AJAX actions. The handlers for ahsc_reset_options, ahsc_debug_status, and ahsc_enable_purge perform authentication and capability checks but do not verify a WordPress nonce for state-changing requests. An attacker can induce a logged-in administrator to visit a malicious webpage that submits forged requests to admin-ajax.php, resulting in unauthorized resetting of plugin settings, toggling of the WordPress WP_DEBUG configuration, or modification of cache purging behavior without the administrator’s intent. | ||||
| CVE-2026-23693 | 2 Roxnor, Wordpress | 2 Elementskit Lite, Wordpress | 2026-04-17 | 10 Critical |
| ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor (elementskit-lite) WordPress plugin versions prior to 3.7.9 expose the REST endpoint /wp-json/elementskit/v1/widget/mailchimp/subscribe without authentication. The endpoint accepts client-supplied Mailchimp API credentials and insufficiently validates certain parameters, including the list parameter, when constructing upstream Mailchimp API requests. An unauthenticated attacker can abuse the endpoint as an open proxy to Mailchimp, potentially triggering unauthorized API calls, manipulating subscription data, exhausting API quotas, or causing resource consumption on the affected WordPress site. | ||||